1
/*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
2
/*-
3
 * The authors of this code are John Ioannidis ([email protected]),
4
 * Angelos D. Keromytis ([email protected]) and
5
 * Niels Provos ([email protected]).
6
 *
7
 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8
 * in November 1995.
9
 *
10
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11
 * by Angelos D. Keromytis.
12
 *
13
 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14
 * and Niels Provos.
15
 *
16
 * Additional features in 1999 by Angelos D. Keromytis.
17
 *
18
 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19
 * Angelos D. Keromytis and Niels Provos.
20
 * Copyright (c) 2001, Angelos D. Keromytis.
21
 * Copyright (c) 2016 Andrey V. Elsukov <[email protected]>
22
 *
23
 * Permission to use, copy, and modify this software with or without fee
24
 * is hereby granted, provided that this entire notice is included in
25
 * all copies of any software which is or includes a copy or
26
 * modification of this software.
27
 * You may use this code under the GNU public license if you so wish. Please
28
 * contribute changes back to the authors under this freer than GPL license
29
 * so that we may further the use of strong encryption without limitations to
30
 * all.
31
 *
32
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36
 * PURPOSE.
37
 */
38

39
/*
40
 * IPsec input processing.
41
 */
42

43
#include <sys/cdefs.h>
44
#include "opt_inet.h"
45
#include "opt_inet6.h"
46
#include "opt_ipsec.h"
47

48
#include <sys/param.h>
49
#include <sys/systm.h>
50
#include <sys/malloc.h>
51
#include <sys/mbuf.h>
52
#include <sys/domain.h>
53
#include <sys/protosw.h>
54
#include <sys/socket.h>
55
#include <sys/errno.h>
56
#include <sys/hhook.h>
57
#include <sys/stdarg.h>
58
#include <sys/syslog.h>
59

60
#include <net/if.h>
61
#include <net/if_var.h>
62
#include <net/if_enc.h>
63
#include <net/if_private.h>
64
#include <net/netisr.h>
65
#include <net/vnet.h>
66

67
#include <netinet/in.h>
68
#include <netinet/in_pcb.h>
69
#include <netinet/in_systm.h>
70
#include <netinet/ip.h>
71
#include <netinet/ip_var.h>
72
#include <netinet/ip_icmp.h>
73
#include <netinet/in_var.h>
74
#include <netinet/tcp_var.h>
75

76
#include <netinet/ip6.h>
77
#ifdef INET6
78
#include <netinet6/ip6_var.h>
79
#endif
80
#include <netinet/in_pcb.h>
81
#ifdef INET6
82
#include <netinet/icmp6.h>
83
#endif
84

85
#include <netipsec/ipsec.h>
86
#ifdef INET6
87
#include <netipsec/ipsec6.h>
88
#endif
89
#include <netipsec/ipsec_support.h>
90
#include <netipsec/ah_var.h>
91
#include <netipsec/esp.h>
92
#include <netipsec/esp_var.h>
93
#include <netipsec/ipcomp_var.h>
94
#include <netipsec/ipsec_offload.h>
95

96
#include <netipsec/key.h>
97
#include <netipsec/keydb.h>
98
#include <netipsec/key_debug.h>
99

100
#include <netipsec/xform.h>
101

102
#include <machine/in_cksum.h>
103

104
#define	IPSEC_ISTAT(proto, name)	do {	\
105
	if ((proto) == IPPROTO_ESP)		\
106
		ESPSTAT_INC(esps_##name);	\
107
	else if ((proto) == IPPROTO_AH)		\
108
		AHSTAT_INC(ahs_##name);		\
109
	else					\
110
		IPCOMPSTAT_INC(ipcomps_##name);	\
111
} while (0)
112

113
/*
114
 * ipsec_common_input gets called when an IPsec-protected packet
115
 * is received by IPv4 or IPv6.  Its job is to find the right SA
116
 * and call the appropriate transform.  The transform callback
117
 * takes care of further processing (like ingress filtering).
118
 */
119
static int
120
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
121
{
122
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
123
	union sockaddr_union dst_address;
124
	struct secasvar *sav;
125
	uint32_t spi;
126
	int error;
127

128
	IPSEC_ISTAT(sproto, input);
129

130
	IPSEC_ASSERT(m != NULL, ("null packet"));
131

132
	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
133
		sproto == IPPROTO_IPCOMP,
134
		("unexpected security protocol %u", sproto));
135

136
	if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
137
	    (sproto == IPPROTO_AH && !V_ah_enable) ||
138
	    (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
139
		m_freem(m);
140
		IPSEC_ISTAT(sproto, pdrops);
141
		return EOPNOTSUPP;
142
	}
143

144
	if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
145
		m_freem(m);
146
		IPSEC_ISTAT(sproto, hdrops);
147
		DPRINTF(("%s: packet too small\n", __func__));
148
		return EINVAL;
149
	}
150

151
	/* Retrieve the SPI from the relevant IPsec header */
152
	if (sproto == IPPROTO_ESP)
153
		m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
154
	else if (sproto == IPPROTO_AH)
155
		m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
156
		    (caddr_t) &spi);
157
	else if (sproto == IPPROTO_IPCOMP) {
158
		u_int16_t cpi;
159
		m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
160
		    (caddr_t) &cpi);
161
		spi = ntohl(htons(cpi));
162
	}
163

164
	/*
165
	 * Find the SA and (indirectly) call the appropriate
166
	 * kernel crypto routine. The resulting mbuf chain is a valid
167
	 * IP packet ready to go through input processing.
168
	 */
169
	bzero(&dst_address, sizeof (dst_address));
170
	dst_address.sa.sa_family = af;
171
	switch (af) {
172
#ifdef INET
173
	case AF_INET:
174
		dst_address.sin.sin_len = sizeof(struct sockaddr_in);
175
		m_copydata(m, offsetof(struct ip, ip_dst),
176
		    sizeof(struct in_addr),
177
		    (caddr_t) &dst_address.sin.sin_addr);
178
		break;
179
#endif /* INET */
180
#ifdef INET6
181
	case AF_INET6:
182
		dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
183
		m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
184
		    sizeof(struct in6_addr),
185
		    (caddr_t) &dst_address.sin6.sin6_addr);
186
		/* We keep addresses in SADB without embedded scope id */
187
		if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) {
188
			/* XXX: sa6_recoverscope() */
189
			dst_address.sin6.sin6_scope_id =
190
			    ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]);
191
			dst_address.sin6.sin6_addr.s6_addr16[1] = 0;
192
		}
193
		break;
194
#endif /* INET6 */
195
	default:
196
		DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
197
		m_freem(m);
198
		IPSEC_ISTAT(sproto, nopf);
199
		return EPFNOSUPPORT;
200
	}
201

202
	/* NB: only pass dst since key_allocsa follows RFC2401 */
203
	sav = key_allocsa(&dst_address, sproto, spi);
204
	if (sav == NULL) {
205
		DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
206
		    __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
207
		    (u_long) ntohl(spi), sproto));
208
		IPSEC_ISTAT(sproto, notdb);
209
		m_freem(m);
210
		return ENOENT;
211
	}
212

213
	if (sav->tdb_xform == NULL) {
214
		DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
215
		    __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
216
		    (u_long) ntohl(spi), sproto));
217
		IPSEC_ISTAT(sproto, noxform);
218
		key_freesav(&sav);
219
		m_freem(m);
220
		return ENXIO;
221
	}
222

223
	/*
224
	 * Call appropriate transform and return -- callback takes care of
225
	 * everything else.
226
	 */
227
	error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
228
	return (error);
229
}
230

231
#ifdef INET
232
/*
233
 * IPSEC_INPUT() method implementation for IPv4.
234
 *  0 - Permitted by inbound security policy for further processing.
235
 *  EACCES - Forbidden by inbound security policy.
236
 *  EINPROGRESS - consumed by IPsec.
237
 */
238
int
239
ipsec4_input(struct mbuf *m, int offset, int proto)
240
{
241
	int error;
242

243
	error = ipsec_accel_input(m, offset, proto);
244
	if (error != ENXIO)
245
		return (error);
246

247
	switch (proto) {
248
	case IPPROTO_AH:
249
	case IPPROTO_ESP:
250
	case IPPROTO_IPCOMP:
251
		/* Do inbound IPsec processing for AH/ESP/IPCOMP */
252
		ipsec_common_input(m, offset,
253
		    offsetof(struct ip, ip_p), AF_INET, proto);
254
		return (EINPROGRESS); /* mbuf consumed by IPsec */
255
	default:
256
		/*
257
		 * Protocols with further headers get their IPsec treatment
258
		 * within the protocol specific processing.
259
		 */
260
		switch (proto) {
261
		case IPPROTO_ICMP:
262
		case IPPROTO_IGMP:
263
		case IPPROTO_IPV4:
264
		case IPPROTO_IPV6:
265
		case IPPROTO_RSVP:
266
		case IPPROTO_GRE:
267
		case IPPROTO_MOBILE:
268
		case IPPROTO_ETHERIP:
269
		case IPPROTO_PIM:
270
		case IPPROTO_SCTP:
271
			break;
272
		default:
273
			return (0);
274
		}
275
	};
276
	/*
277
	 * Enforce IPsec policy checking if we are seeing last header.
278
	 */
279
	if (ipsec4_in_reject(m, NULL) != 0) {
280
		/* Forbidden by inbound security policy */
281
		m_freem(m);
282
		return (EACCES);
283
	}
284
	return (0);
285
}
286

287
int
288
ipsec4_ctlinput(ipsec_ctlinput_param_t param)
289
{
290
	struct icmp *icp = param.icmp;
291
	struct ip *ip = &icp->icmp_ip;
292
	struct sockaddr_in icmpsrc = {
293
		.sin_len = sizeof(struct sockaddr_in),
294
		.sin_family = AF_INET,
295
		.sin_addr = ip->ip_dst,
296
	};
297
	struct in_conninfo inc;
298
	struct secasvar *sav;
299
	uint32_t pmtu, spi;
300
	uint32_t max_pmtu;
301
	uint8_t proto;
302

303
	pmtu = ntohs(icp->icmp_nextmtu);
304

305
	if (pmtu < V_ip4_ipsec_min_pmtu)
306
		return (EINVAL);
307

308
	proto = ip->ip_p;
309
	if (proto != IPPROTO_ESP && proto != IPPROTO_AH &&
310
	    proto != IPPROTO_IPCOMP)
311
		return (EINVAL);
312

313
	memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi));
314
	sav = key_allocsa((union sockaddr_union *)&icmpsrc, proto, spi);
315
	if (sav == NULL)
316
		return (ENOENT);
317

318
	key_freesav(&sav);
319

320
	memset(&inc, 0, sizeof(inc));
321
	inc.inc_faddr = ip->ip_dst;
322

323
	/* Update pmtu only if its smaller than the current one. */
324
	max_pmtu = tcp_hc_getmtu(&inc);
325
	if (max_pmtu == 0)
326
		max_pmtu = tcp_maxmtu(&inc, NULL);
327

328
	if (pmtu < max_pmtu)
329
		tcp_hc_updatemtu(&inc, pmtu);
330

331
	return (0);
332
}
333

334
/*
335
 * IPsec input callback for INET protocols.
336
 * This routine is called as the transform callback.
337
 * Takes care of filtering and other sanity checks on
338
 * the processed packet.
339
 */
340
int
341
ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
342
    int protoff, struct rm_priotracker *sahtree_tracker)
343
{
344
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
345
	struct epoch_tracker et;
346
	struct ipsec_ctx_data ctx;
347
	struct xform_history *xh;
348
	struct secasindex *saidx;
349
	struct m_tag *mtag;
350
	struct ip *ip;
351
	int error, prot, af, sproto, isr_prot;
352

353
	IPSEC_ASSERT(sav != NULL, ("null SA"));
354
	IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
355
	saidx = &sav->sah->saidx;
356
	af = saidx->dst.sa.sa_family;
357
	IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
358
	sproto = saidx->proto;
359
	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
360
		sproto == IPPROTO_IPCOMP,
361
		("unexpected security protocol %u", sproto));
362

363
	if (skip != 0) {
364
		/*
365
		 * Fix IPv4 header
366
		 */
367
		if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
368
			DPRINTF(("%s: processing failed for SA %s/%08lx\n",
369
			    __func__, ipsec_address(&sav->sah->saidx.dst,
370
			    buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
371
			IPSEC_ISTAT(sproto, hdrops);
372
			error = ENOBUFS;
373
			goto bad_noepoch;
374
		}
375

376
		ip = mtod(m, struct ip *);
377
		ip->ip_len = htons(m->m_pkthdr.len);
378
		ip->ip_sum = 0;
379
		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
380
	} else {
381
		ip = mtod(m, struct ip *);
382
	}
383
	prot = ip->ip_p;
384
	/*
385
	 * Check that we have NAT-T enabled and apply transport mode
386
	 * decapsulation NAT procedure (RFC3948).
387
	 * Do this before invoking into the PFIL.
388
	 */
389
	if (sav->natt != NULL &&
390
	    (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
391
		udp_ipsec_adjust_cksum(m, sav, prot, skip);
392

393
	/*
394
	 * Needed for ipsec_run_hooks and netisr_queue_src
395
	 */
396
	NET_EPOCH_ENTER(et);
397

398
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
399
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
400
		goto bad;
401
	ip = mtod(m, struct ip *);	/* update pointer */
402

403
	/* IP-in-IP encapsulation */
404
	if (prot == IPPROTO_IPIP &&
405
	    saidx->mode != IPSEC_MODE_TRANSPORT) {
406
		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
407
			IPSEC_ISTAT(sproto, hdrops);
408
			error = EINVAL;
409
			goto bad;
410
		}
411
		/* enc0: strip outer IPv4 header */
412
		m_striphdr(m, 0, ip->ip_hl << 2);
413
	}
414
#ifdef INET6
415
	/* IPv6-in-IP encapsulation. */
416
	else if (prot == IPPROTO_IPV6 &&
417
	    saidx->mode != IPSEC_MODE_TRANSPORT) {
418
		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
419
			IPSEC_ISTAT(sproto, hdrops);
420
			error = EINVAL;
421
			goto bad;
422
		}
423
		/* enc0: strip IPv4 header, keep IPv6 header only */
424
		m_striphdr(m, 0, ip->ip_hl << 2);
425
	}
426
#endif /* INET6 */
427
	else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
428
		/*
429
		 * When mode is wildcard, inner protocol is IPv6 and
430
		 * we have no INET6 support - drop this packet a bit later.
431
		 * In other cases we assume transport mode. Set prot to
432
		 * correctly choose netisr.
433
		 */
434
		prot = IPPROTO_IPIP;
435
	}
436

437
	/*
438
	 * Record what we've done to the packet (under what SA it was
439
	 * processed).
440
	 */
441
	if (sproto != IPPROTO_IPCOMP) {
442
		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
443
		    sizeof(struct xform_history), M_NOWAIT);
444
		if (mtag == NULL) {
445
			DPRINTF(("%s: failed to get tag\n", __func__));
446
			IPSEC_ISTAT(sproto, hdrops);
447
			error = ENOMEM;
448
			goto bad;
449
		}
450

451
		xh = (struct xform_history *)(mtag + 1);
452
		bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
453
		xh->spi = sav->spi;
454
		xh->proto = sproto;
455
		xh->mode = saidx->mode;
456
		m_tag_prepend(m, mtag);
457
	}
458

459
	key_sa_recordxfer(sav, m);		/* record data transfer */
460

461
	/*
462
	 * In transport mode requeue decrypted mbuf back to IPv4 protocol
463
	 * handler. This is necessary to correctly expose rcvif.
464
	 */
465
	if (saidx->mode == IPSEC_MODE_TRANSPORT)
466
		prot = IPPROTO_IPIP;
467
	/*
468
	 * Re-dispatch via software interrupt.
469
	 */
470
	switch (prot) {
471
	case IPPROTO_IPIP:
472
		isr_prot = NETISR_IP;
473
		af = AF_INET;
474
		break;
475
#ifdef INET6
476
	case IPPROTO_IPV6:
477
		isr_prot = NETISR_IPV6;
478
		af = AF_INET6;
479
		break;
480
#endif
481
	default:
482
		DPRINTF(("%s: cannot handle inner ip proto %d\n",
483
			    __func__, prot));
484
		IPSEC_ISTAT(sproto, nopf);
485
		error = EPFNOSUPPORT;
486
		goto bad;
487
	}
488

489
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
490
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
491
		goto bad;
492

493
	/* Handle virtual tunneling interfaces */
494
	if (saidx->mode == IPSEC_MODE_TUNNEL)
495
		error = ipsec_if_input(m, sav, af, sahtree_tracker);
496
	else
497
		ipsec_sahtree_runlock(sahtree_tracker);
498
	if (error == 0) {
499
		error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
500
		if (error) {
501
			IPSEC_ISTAT(sproto, qfull);
502
			DPRINTF(("%s: queue full; proto %u packet dropped\n",
503
			    __func__, sproto));
504
		}
505
	}
506
	NET_EPOCH_EXIT(et);
507
	key_freesav(&sav);
508
	return (error);
509
bad:
510
	NET_EPOCH_EXIT(et);
511
bad_noepoch:
512
	ipsec_sahtree_runlock(sahtree_tracker);
513
	key_freesav(&sav);
514
	if (m != NULL)
515
		m_freem(m);
516
	return (error);
517
}
518
#endif /* INET */
519

520
#ifdef INET6
521
static bool
522
ipsec6_lasthdr(int proto)
523
{
524

525
	switch (proto) {
526
	case IPPROTO_IPV4:
527
	case IPPROTO_IPV6:
528
	case IPPROTO_GRE:
529
	case IPPROTO_ICMPV6:
530
	case IPPROTO_ETHERIP:
531
	case IPPROTO_PIM:
532
	case IPPROTO_SCTP:
533
		return (true);
534
	default:
535
		return (false);
536
	};
537
}
538

539
/*
540
 * IPSEC_INPUT() method implementation for IPv6.
541
 *  0 - Permitted by inbound security policy for further processing.
542
 *  EACCES - Forbidden by inbound security policy.
543
 *  EINPROGRESS - consumed by IPsec.
544
 */
545
int
546
ipsec6_input(struct mbuf *m, int offset, int proto)
547
{
548
	int error;
549

550
	error = ipsec_accel_input(m, offset, proto);
551
	if (error != ENXIO)
552
		return (error);
553
		
554
	switch (proto) {
555
	case IPPROTO_AH:
556
	case IPPROTO_ESP:
557
	case IPPROTO_IPCOMP:
558
		/* Do inbound IPsec processing for AH/ESP/IPCOMP */
559
		ipsec_common_input(m, offset,
560
		    offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto);
561
		return (EINPROGRESS); /* mbuf consumed by IPsec */
562
	default:
563
		/*
564
		 * Protocols with further headers get their IPsec treatment
565
		 * within the protocol specific processing.
566
		 */
567
		if (!ipsec6_lasthdr(proto))
568
			return (0);
569
		/* FALLTHROUGH */
570
	};
571
	/*
572
	 * Enforce IPsec policy checking if we are seeing last header.
573
	 */
574
	if (ipsec6_in_reject(m, NULL) != 0) {
575
		/* Forbidden by inbound security policy */
576
		m_freem(m);
577
		return (EACCES);
578
	}
579
	return (0);
580
}
581

582
int
583
ipsec6_ctlinput(ipsec_ctlinput_param_t param)
584
{
585
	return (0);
586
}
587

588
extern ipproto_input_t	*ip6_protox[];
589

590
/*
591
 * IPsec input callback, called by the transform callback. Takes care of
592
 * filtering and other sanity checks on the processed packet.
593
 */
594
int
595
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
596
    int protoff, struct rm_priotracker *sahtree_tracker)
597
{
598
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
599
	struct epoch_tracker et;
600
	struct ipsec_ctx_data ctx;
601
	struct xform_history *xh;
602
	struct secasindex *saidx;
603
	struct ip6_hdr *ip6;
604
	struct m_tag *mtag;
605
	int prot, af, sproto;
606
	int nxt, isr_prot;
607
	int error, nest;
608
	uint8_t nxt8;
609

610
	IPSEC_ASSERT(sav != NULL, ("null SA"));
611
	IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
612
	saidx = &sav->sah->saidx;
613
	af = saidx->dst.sa.sa_family;
614
	IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
615
	sproto = saidx->proto;
616
	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
617
		sproto == IPPROTO_IPCOMP,
618
		("unexpected security protocol %u", sproto));
619

620
	NET_EPOCH_ENTER(et);
621

622
	/* Fix IPv6 header */
623
	if (m->m_len < sizeof(struct ip6_hdr) &&
624
	    (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
625
		DPRINTF(("%s: processing failed for SA %s/%08lx\n",
626
		    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
627
		    sizeof(buf)), (u_long) ntohl(sav->spi)));
628

629
		IPSEC_ISTAT(sproto, hdrops);
630
		error = EACCES;
631
		goto bad;
632
	}
633

634
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
635
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
636
		goto bad;
637

638
	ip6 = mtod(m, struct ip6_hdr *);
639
	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
640

641
	/* Save protocol */
642
	m_copydata(m, protoff, 1, &nxt8);
643
	prot = nxt8;
644

645
	/*
646
	 * Check that we have NAT-T enabled and apply transport mode
647
	 * decapsulation NAT procedure (RFC3948).
648
	 * Do this before invoking into the PFIL.
649
	 */
650
	if (sav->natt != NULL &&
651
	    (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
652
		udp_ipsec_adjust_cksum(m, sav, prot, skip);
653

654
	/* IPv6-in-IP encapsulation */
655
	if (prot == IPPROTO_IPV6 &&
656
	    saidx->mode != IPSEC_MODE_TRANSPORT) {
657
		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
658
			IPSEC_ISTAT(sproto, hdrops);
659
			error = EINVAL;
660
			goto bad;
661
		}
662
		/* ip6n will now contain the inner IPv6 header. */
663
		m_striphdr(m, 0, skip);
664
		skip = 0;
665
	}
666
#ifdef INET
667
	/* IP-in-IP encapsulation */
668
	else if (prot == IPPROTO_IPIP &&
669
	    saidx->mode != IPSEC_MODE_TRANSPORT) {
670
		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
671
			IPSEC_ISTAT(sproto, hdrops);
672
			error = EINVAL;
673
			goto bad;
674
		}
675
		/* ipn will now contain the inner IPv4 header */
676
		m_striphdr(m, 0, skip);
677
		skip = 0;
678
	}
679
#endif /* INET */
680
	else {
681
		prot = IPPROTO_IPV6; /* for correct BPF processing */
682
	}
683

684
	/*
685
	 * Record what we've done to the packet (under what SA it was
686
	 * processed).
687
	 */
688
	if (sproto != IPPROTO_IPCOMP) {
689
		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
690
		    sizeof(struct xform_history), M_NOWAIT);
691
		if (mtag == NULL) {
692
			DPRINTF(("%s: failed to get tag\n", __func__));
693
			IPSEC_ISTAT(sproto, hdrops);
694
			error = ENOMEM;
695
			goto bad;
696
		}
697

698
		xh = (struct xform_history *)(mtag + 1);
699
		bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
700
		xh->spi = sav->spi;
701
		xh->proto = sproto;
702
		xh->mode = saidx->mode;
703
		m_tag_prepend(m, mtag);
704
	}
705

706
	key_sa_recordxfer(sav, m);
707

708
#ifdef INET
709
	if (prot == IPPROTO_IPIP)
710
		af = AF_INET;
711
	else
712
#endif
713
		af = AF_INET6;
714
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
715
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
716
		goto bad;
717
	if (skip == 0) {
718
		/*
719
		 * We stripped outer IPv6 header.
720
		 * Now we should requeue decrypted packet via netisr.
721
		 */
722
		switch (prot) {
723
#ifdef INET
724
		case IPPROTO_IPIP:
725
			isr_prot = NETISR_IP;
726
			break;
727
#endif
728
		case IPPROTO_IPV6:
729
			isr_prot = NETISR_IPV6;
730
			break;
731
		default:
732
			DPRINTF(("%s: cannot handle inner ip proto %d\n",
733
			    __func__, prot));
734
			IPSEC_ISTAT(sproto, nopf);
735
			error = EPFNOSUPPORT;
736
			goto bad;
737
		}
738
		/* Handle virtual tunneling interfaces */
739
		if (saidx->mode == IPSEC_MODE_TUNNEL)
740
			error = ipsec_if_input(m, sav, af, sahtree_tracker);
741
		else
742
			ipsec_sahtree_runlock(sahtree_tracker);
743
		if (error == 0) {
744
			error = netisr_queue_src(isr_prot,
745
			    (uintptr_t)sav->spi, m);
746
			if (error) {
747
				IPSEC_ISTAT(sproto, qfull);
748
				DPRINTF(("%s: queue full; proto %u packet"
749
				    " dropped\n", __func__, sproto));
750
			}
751
		}
752
		NET_EPOCH_EXIT(et);
753
		key_freesav(&sav);
754
		return (error);
755
	}
756

757
	ipsec_sahtree_runlock(sahtree_tracker);
758

759
	/*
760
	 * See the end of ip6_input for this logic.
761
	 * IPPROTO_IPV[46] case will be processed just like other ones
762
	 */
763
	nest = 0;
764
	nxt = nxt8;
765
	while (nxt != IPPROTO_DONE) {
766
		if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
767
			IP6STAT_INC(ip6s_toomanyhdr);
768
			error = EINVAL;
769
			goto bad;
770
		}
771

772
		/*
773
		 * Protection against faulty packet - there should be
774
		 * more sanity checks in header chain processing.
775
		 */
776
		if (m->m_pkthdr.len < skip) {
777
			IP6STAT_INC(ip6s_tooshort);
778
			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
779
			error = EINVAL;
780
			goto bad;
781
		}
782
		/*
783
		 * Enforce IPsec policy checking if we are seeing last header.
784
		 * note that we do not visit this with protocols with pcb layer
785
		 * code - like udp/tcp/raw ip.
786
		 */
787
		if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) {
788
			error = EINVAL;
789
			goto bad;
790
		}
791
		nxt = ip6_protox[nxt](&m, &skip, nxt);
792
	}
793
	NET_EPOCH_EXIT(et);
794
	key_freesav(&sav);
795
	return (0);
796
bad:
797
	NET_EPOCH_EXIT(et);
798
	ipsec_sahtree_runlock(sahtree_tracker);
799
	key_freesav(&sav);
800
	if (m)
801
		m_freem(m);
802
	return (error);
803
}
804
#endif /* INET6 */
805

806